Which TCP ports does a workstation use to authenticate to AD and get group policy?

Question

Friday, May 20, 2011 11:44 PM

Hello,

I am working on rolling out an isolated VLAN where I'd like to be able for the users to utilize several services provided.


For instance, I'd like to allow access for DNS, AD authentication, and group policy.


I've come across http://support.microsoft.com/kb/832017 and it seems to reflect a robust amount of ports, which is great.

I have started a shortlist, which follows. What am I missing? What are some concerns?


App protocol            Protocol    Ports
Global Catalog server   TCP         3268, 3269
LDAP                    TCP         389
RPC                     TCP         135, 1024-65535
NetBIOS services        UDP, TCP    137, 138, 139
DNS                     UDP, TCP    53
ICMP                    ICMP        all
SMB                     TCP         445 (for group policy?)
Kerberos                UDP, TCP    88, 389, 464


Thanks,

Matt Brown

My unanswered threads:
DFS / RDC size estimations?
Online backup of Active Directory / ESE DB, command line interface to ESENT.DLL's JetBackup() function.

All replies (6)

Saturday, May 21, 2011 3:00 PM ✅Answered

Many of the ports described in that KB also affect client to DC communications. If you want to find out the exact ports being used, your best bet is to use Netmon or Wireshark to capture the traffic from boot to logon and you can see what ports it's using.

And to add to the list you originally posted, you would need to remove TCP 1024-65535, and add UDP 1024-5000 and UDP 49152-65535 for the ephemeral (service response) ports.

Ace

Ace Fekay
Microsoft MVP - Directory Services



Monday, May 23, 2011 9:16 AM ✅Answered

Hi Matt,


Thanks for posting here.


Not sure if you have read the summary article below, but it seems to be quite the answer to your question:


Active Directory and Active Directory Domain Services Port Requirements

http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx


You may also refer to the article below:


http://blog.msfirewall.org.uk/2009/02/resource-guide-for-microsoft-active.html



Thanks.


Tiger Li



Monday, May 23, 2011 8:15 PM ✅Answered | 2 votes

Alright, I allowed all the ports through as specified in that second article.

It seems thorough, but is missing the random high ports that I expected (I did not allow these through).


I just finished an inline capture as earlier suggested, and here is a breakdown of the conversation between the workstation and the DC (and DNS [same server]):


DNS lookup for LDAP server: SRV record: _ldap._tcp.[AD SITE]._sites.dc._msdcs.DOMAIN.local

TCP 135: Some conversation

DCERPC (TCP 135): Bind for EPMv4

EPM (TCP 135): Map request & response

TCP 1025: Some conversation

DCERPC (TCP 1025): Bind for RPC_NETLOGON V1.0 (call_id 1)

DCERPC (TCP 1025): RPC_NETLOGON, Request challenge and response

DCERPC (TCP 1025): RPC_NETLOGON, Authenticate request & response

TCP 1025: Some conversation

DCERPC (TCP 1025): Bind for RPC_NETLOGON V1.0 (call_id 3)

RPC_NETLOGON (TCP 1025): GetDomainInfo request & response

TCP 135: some conversation

DNS lookup for Kerberos server: SRV record: _kerberos._tcp.[AD SITE]._sites.dc._msdcs.DOMAIN.local

DNS lookup for LDAP server: SRV record: _ldap._tcp.[AD SITE]._sites.dc._msdcs.DOMAIN.local

Workstation pings server

TCP 445: some conversation

Workstation pings server

TCP 445: some conversation

SMB (TCP 445): request & response

SMB (TCP 445): session setup andX request

SMB (TCP 445): tree connect andX request, path \ONSITEDC.DOMAIN.LOCAL\IPC$

Some service related DNS queries

TCP 1025: Some conversation

DCERPC (TCP 1025): Bind for DRSUAPI V4.0 (call_id 1)

DRSUAPI (TCP 1025): some conversations related

RPC_NETLOGON (TCP 1025): some requests & responses

SMB (TCP 445): GET_DFS_REFERRAL for \DOMAIN.local request & response

SMB (TCP 445): GET_DFS_REFERRAL for \DOMAIN.local\sysvol request & response

SMB (TCP 445): tree connect andX request, path \ONSITEDC.DOMAIN.LOCAL\SYSVOL

A bunch of SMB queries for group policies

... (more conversations, no new ports unless noted below)

TCP 138

TCP 139

TCP 53


Additionally, to the WINS / printer server:

TCP 138

TCP 137

ICMP type 8

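
An added example, not code from this thread, that checks an allow-list like the shortlist in the question against the flows seen in a boot-to-logon capture like the one above. The rule table and flow list are constructed from the port numbers the thread itself mentions, the 'name | protos | ports' format is my own, and plain Python 3 is assumed.

```python
def parse_rules(text):
    """Parse 'name | protos | ports' lines into (proto, lo, hi, name) tuples;
    a port entry is a single port or an inclusive range, ICMP rows have none."""
    rules = []
    for line in text.strip().splitlines():
        name, protos, ports = (f.strip() for f in line.split("|"))
        for proto in (p.strip() for p in protos.lower().split(",")):
            if proto == "icmp":
                rules.append(("icmp", 0, 0, name))
                continue
            for entry in ports.split(","):
                lo, _, hi = entry.strip().partition("-")
                rules.append((proto, int(lo), int(hi or lo), name))
    return rules

def audit(rules, flows):
    """Return (flows that no rule covers, rules that no flow exercised)."""
    used, blocked = set(), []
    for proto, port, what in flows:
        hits = [r for r in rules if r[0] == proto and r[1] <= port <= r[2]]
        used.update(hits)
        if not hits:
            blocked.append((proto, port, what))
    return blocked, [r for r in rules if r not in used]

# The question's shortlist amended as the first reply suggests (constructed).
ALLOW_LIST = """
LDAP | TCP | 389
RPC endpoint mapper | TCP | 135
NetBIOS | UDP,TCP | 137, 138, 139
DNS | UDP,TCP | 53
ICMP | ICMP | all
SMB | TCP | 445
Kerberos | UDP,TCP | 88, 464
Ephemeral | UDP | 1024-5000, 49152-65535
"""
# Flows constructed from the boot-to-logon capture above: (proto, port, what).
CAPTURE_FLOWS = [
    ("tcp", 53, "SRV lookups for the LDAP and Kerberos servers"),
    ("tcp", 135, "DCERPC endpoint mapper bind and map"),
    ("tcp", 1025, "RPC_NETLOGON and DRSUAPI on the mapped endpoint"),
    ("icmp", 0, "workstation pings the DC"),
    ("tcp", 445, "SMB IPC$, DFS referral and SYSVOL for group policy"),
    ("tcp", 139, "NetBIOS session"),
]

def uncovered():
    """(proto, port) pairs the capture used that the allow-list would drop."""
    blocked, _ = audit(parse_rules(ALLOW_LIST), CAPTURE_FLOWS)
    return [(proto, port) for proto, port, _ in blocked]
```

Run as written, uncovered() returns only TCP 1025: the dynamic RPC endpoint handed out by the endpoint mapper on TCP 135, which is the random high port the capture showed was missing from the rule set. A rule set therefore has to allow the DC's RPC dynamic range on TCP (or a deliberately narrowed one), not only the UDP ephemeral ranges.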


Saturday, May 21, 2011 8:30 AM

For Win7 and Win2k8 R2 (or really Vista+, I think), pretty sure ICMP is no longer required.


Saturday, May 21, 2011 1:56 PM

For security reasons, I don't recommend allowing the use of ICMP.

Have a look at this Microsoft article about the needed ports for AD replication over a firewall: http://technet.microsoft.com/en-us/library/bb727063.aspx



Saturday, May 21, 2011 2:15 PM

Thanks for your replies, guys.

I'm not actually looking for replication, but simply to allow workstations the ability to authenticate against AD, and utilize DNS.


This is actually XP, Vista, and 7 with 2003 R2.
